CRL Management
By default, the CRL is valid for one week. This value can be configured. New CRLs are issued:
- When approximately 60% of the CRL validity period has passed
- Immediately following the revocation of a certificate
It is possible to recreate a specified CRL using the ICA (Internal Certificate Authority) Management Tool. The utility acts as a recovery mechanism in the event that the CRL is deleted or corrupted. An administrator can download a DER-encoded version of the CRL using the ICA Management Tool.
CRL Modes
The ICA can issue multiple CRLs. Multiple CRLs prevent one CRL from becoming larger than 10K. If the CRL exceeds 10K, IKE negotiations can fail when trying to open VPN tunnels.
Multiple CRLs are created by attributing each issued certificate to a specified CRL. If a certificate is revoked, its serial number appears in the CRL it was attributed to.
The CRL Distribution Point (CRLDP) extension of the certificate contains the URL of the specified CRL. This ensures that the correct CRL is retrieved when the certificate is validated.
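A stdlib-only way to sanity-check a DER CRL downloaded from the ICA Management Tool against the two rules above (reissue at roughly 60% of the validity period, and the 10K size limit that can break IKE). This is an added example, not Check Point code: the minimal DER walker handles UTCTime dates only, and the sample CRL is constructed in memory with a zero placeholder instead of a real signature.

```python
from datetime import datetime, timedelta, timezone

MAX_CRL_BYTES = 10 * 1024   # CRLs over 10K can make IKE negotiations fail
REISSUE_FRACTION = 0.6      # ICA reissues after ~60% of the validity period
TIME_FMT = "%y%m%d%H%M%SZ"  # UTCTime only (GeneralizedTime is not handled)

def der(tag, body):
    """Encode one definite-length DER TLV."""
    n = len(body)
    if n >= 0x80:  # long-form length
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(nb)]) + nb + body
    return bytes([tag, n]) + body

def der_int(n):  # non-negative INTEGER, padded so the sign bit stays clear
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def children(body):
    """Split a constructed DER body into (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(body):
        tag, n, pos = body[pos], body[pos + 1], pos + 2
        if n & 0x80:  # long-form length: next k bytes hold the length
            k = n & 0x7F
            n, pos = int.from_bytes(body[pos:pos + k], "big"), pos + k
        out.append((tag, body[pos:pos + n]))
        pos += n
    return out

def parse_crl(crl_der):
    """Return (thisUpdate, nextUpdate, revoked serials) of a v1/v2 CRL."""
    tbs = children(children(children(crl_der)[0][1])[0][1])  # TBSCertList fields
    i = 1 if tbs[0][0] == 0x02 else 0                        # optional version INTEGER
    utc = lambda v: datetime.strptime(v.decode(), TIME_FMT).replace(tzinfo=timezone.utc)
    revoked = ([int.from_bytes(children(e)[0][1], "big") for _, e in children(tbs[i + 4][1])]
               if len(tbs) > i + 4 and tbs[i + 4][0] == 0x30 else [])
    return utc(tbs[i + 2][1]), utc(tbs[i + 3][1]), revoked

def crl_status(crl_der, now):
    """Apply the two operational rules from the page to a downloaded CRL blob."""
    this_upd, next_upd, revoked = parse_crl(crl_der)
    reissue_at = this_upd + (next_upd - this_upd) * REISSUE_FRACTION
    return {"too_large": len(crl_der) > MAX_CRL_BYTES, "expired": now >= next_upd,
            "reissue_due": now >= reissue_at, "revoked": revoked}

def sample_crl(this_upd, serials, validity=timedelta(days=7)):
    """Constructed v2 CRL (CN=ICA issuer) with a zero placeholder signature."""
    utc = lambda dt: der(0x17, dt.strftime(TIME_FMT).encode())
    alg = der(0x30, der(0x06, bytes.fromhex("2A864886F70D01010B")) + der(0x05, b""))  # sha256WithRSA
    issuer = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, b"ICA"))))
    entries = der(0x30, b"".join(der(0x30, der_int(s) + utc(this_upd)) for s in serials)) if serials else b""
    tbs = der(0x30, der_int(1) + alg + issuer + utc(this_upd) + utc(this_upd + validity) + entries)
    return der(0x30, tbs + alg + der(0x03, bytes(17)))  # BIT STRING: 0 unused bits + placeholder
```

Point `crl_status` at the bytes of a CRL downloaded from the tool to see whether it is oversized, past its 60% reissue point, or already expired.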
CRL Operations
You can download, update, or recreate CRLs through the ICA management tool.
To do operations with CRLs:
- In the Manage CRLs pane, select one or more CRLs from the drop-down box.
- Select an action:
  - Click Download to download the CRL.
  - Publish the SmartConsole session to renew the CRL after changes have been made to the CRL database. This operation is done at an interval set by the CRL Duration attribute.
  - Click Recreate to recreate the CRL.